Why would there ever be traffic with that as the source IP?
Because that is the local firewall IP address assigned to the tunnel interface per the MS config file for the VPN. The firewall sends egress traffic initiated from the firewall out the closest interface, thus the APIPA address on the xfrm tunnel interface.
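To make the source-address behaviour concrete, here is an added example (not code from the original thread or from any firewall vendor) that models how a host picks the source IP for packets it originates itself versus packets it merely forwards. The routing table, interface names, the 169.254.21.1 APIPA address on the xfrm tunnel and all prefixes are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    """One routing-table entry: prefix, egress interface and the interface's own address."""
    prefix: ipaddress.IPv4Network
    iface: str
    src: ipaddress.IPv4Address  # preferred source for locally originated packets


# Constructed routing table for a firewall with a LAN, a WAN and an xfrm tunnel
# whose interface carries a link-local (APIPA) address, as in the thread.
ROUTES = [
    Route(ipaddress.ip_network("10.10.0.0/16"), "lan0", ipaddress.ip_address("10.10.0.1")),
    Route(ipaddress.ip_network("10.200.0.0/16"), "xfrm1", ipaddress.ip_address("169.254.21.1")),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan0", ipaddress.ip_address("203.0.113.10")),
]


def lookup(dst: str, routes=ROUTES) -> Route:
    """Longest-prefix match, the same rule a kernel FIB uses."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def egress(dst: str, src: Optional[str] = None, routes=ROUTES) -> tuple[str, str]:
    """Return (interface, source IP) a packet to dst leaves with.

    src=None means the firewall itself originated the packet (e.g. an LDAP bind
    or a health probe), so the source becomes the egress interface's address.
    A forwarded packet keeps the source address it arrived with.
    """
    route = lookup(dst, routes)
    if src is None:
        return route.iface, str(route.src)
    return route.iface, src


def is_self_originated_over_tunnel(src: str, iface: str) -> bool:
    """Flag packets whose source is link-local and that leave via a tunnel interface.

    Seeing 169.254.0.0/16 as a *source* on a tunnel is the signature of
    firewall-originated traffic the thread is asking about.
    """
    return ipaddress.ip_address(src) in ipaddress.ip_network("169.254.0.0/16") and iface.startswith("xfrm")


if __name__ == "__main__":
    # Firewall-originated packet to a host behind the tunnel: source is the APIPA address.
    print(egress("10.200.5.20"))              # ('xfrm1', '169.254.21.1')
    # Forwarded LAN client packet to the same host: original source preserved.
    print(egress("10.200.5.20", "10.10.4.7"))  # ('xfrm1', '10.10.4.7')
```

The distinction the asker raises in the follow-up (routing other machines' traffic versus the firewall's own) is exactly the `src is None` branch: only the firewall's own sessions pick up the tunnel interface's address.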
Why would a firewall ever initiate traffic out of that interface?
I’m trying to understand here. If it’s routing, it’s passing other machines’ traffic, not its own traffic.
The firewall can locally authenticate users or authenticate against RADIUS and LDAP directory services. This is so the user has a single account that needs to be managed.
When the user supplies their credentials to the firewall, the firewall sends a password hash to the LDAP server and if this is successful, then the user can access data in the user portal and can access their assigned network resources via a VPN client.
Building out and managing multiple accounts for users is extra work for IT staff. Using a central authentication service makes life easier for IT and users, for the fewer credentials they have to memorize, the better. Central Auth also gives IT staff one place to disable accounts when necessary.